authorAsher Gomez <ashersaupingomez@gmail.com>2024-09-11 07:55:42 +1000
committerGitHub <noreply@github.com>2024-09-10 21:55:42 +0000
commitace1202227abeeac78db0266a13b451c1792a6ce (patch)
tree3319bc3defab8dddc04e3907b7b7bece821fe094
parentbe0ba6d84f190f4fc1b4517e62d9d8ad30c8cfb1 (diff)
BREAKING(net): remove `Deno.ConnectTlsOptions.{certChain,certFile,privateKey}` and `Deno.ListenTlsOptions.certChain,certFile,keyFile}` (#25525)
Towards #22079
-rw-r--r--cli/tsc/dts/lib.deno.ns.d.ts4
-rw-r--r--cli/tsc/dts/lib.deno.unstable.d.ts2
-rw-r--r--ext/net/02_tls.js109
-rw-r--r--ext/net/lib.deno_net.d.ts77
-rw-r--r--ext/net/lib.rs1
-rw-r--r--ext/net/ops_tls.rs43
-rw-r--r--tests/specs/future/runtime_api/main.js34
-rw-r--r--tests/specs/future/runtime_api/main.out3
-rw-r--r--tests/unit/tls_sni_test.ts5
-rw-r--r--tests/unit/tls_test.ts259
-rw-r--r--tests/unit_node/tls_test.ts6
11 files changed, 28 insertions, 515 deletions
diff --git a/cli/tsc/dts/lib.deno.ns.d.ts b/cli/tsc/dts/lib.deno.ns.d.ts
index cd21b9276..2bc3b36a3 100644
--- a/cli/tsc/dts/lib.deno.ns.d.ts
+++ b/cli/tsc/dts/lib.deno.ns.d.ts
@@ -5356,7 +5356,7 @@ declare namespace Deno {
export function serve(
options:
| ServeTcpOptions
- | (ServeTcpOptions & TlsCertifiedKeyOptions),
+ | (ServeTcpOptions & TlsCertifiedKeyPem),
handler: ServeHandler<Deno.NetAddr>,
): HttpServer<Deno.NetAddr>;
/** Serves HTTP requests with the given option bag.
@@ -5413,7 +5413,7 @@ declare namespace Deno {
*/
export function serve(
options:
- & (ServeTcpOptions | (ServeTcpOptions & TlsCertifiedKeyOptions))
+ & (ServeTcpOptions | (ServeTcpOptions & TlsCertifiedKeyPem))
& ServeInit<Deno.NetAddr>,
): HttpServer<Deno.NetAddr>;
diff --git a/cli/tsc/dts/lib.deno.unstable.d.ts b/cli/tsc/dts/lib.deno.unstable.d.ts
index 25b3fde9e..88f78b8a5 100644
--- a/cli/tsc/dts/lib.deno.unstable.d.ts
+++ b/cli/tsc/dts/lib.deno.unstable.d.ts
@@ -168,7 +168,7 @@ declare namespace Deno {
* @experimental
*/
export function createHttpClient(
- options: CreateHttpClientOptions & TlsCertifiedKeyOptions,
+ options: CreateHttpClientOptions & TlsCertifiedKeyPem,
): HttpClient;
/** **UNSTABLE**: New API, yet to be vetted.
diff --git a/ext/net/02_tls.js b/ext/net/02_tls.js
index c06c64747..a2cb65b83 100644
--- a/ext/net/02_tls.js
+++ b/ext/net/02_tls.js
@@ -13,7 +13,6 @@ import {
op_tls_handshake,
op_tls_key_null,
op_tls_key_static,
- op_tls_key_static_from_file,
op_tls_start,
} from "ext:core/ops";
const {
@@ -50,45 +49,23 @@ async function connectTls({
alpnProtocols = undefined,
keyFormat = undefined,
cert = undefined,
- certFile = undefined,
- certChain = undefined,
key = undefined,
- keyFile = undefined,
- privateKey = undefined,
}) {
if (transport !== "tcp") {
throw new TypeError(`Unsupported transport: '${transport}'`);
}
- let deprecatedCertFile = undefined;
-
- // Deno.connectTls has an irregular option where you can just pass `certFile` and
- // not `keyFile`. In this case it's used for `caCerts` rather than the client key.
- if (certFile !== undefined && keyFile === undefined) {
- internals.warnOnDeprecatedApi(
- "Deno.ConnectTlsOptions.certFile",
- new Error().stack,
- "Pass the cert file's contents to the `Deno.ConnectTlsOptions.caCerts` option instead.",
- );
-
- deprecatedCertFile = certFile;
- certFile = undefined;
- }
const keyPair = loadTlsKeyPair("Deno.connectTls", {
keyFormat,
cert,
- certFile,
- certChain,
key,
- keyFile,
- privateKey,
});
// TODO(mmastrac): We only expose this feature via symbol for now. This should actually be a feature
// in Deno.connectTls, however.
const serverName = arguments[0][serverNameSymbol] ?? null;
const { 0: rid, 1: localAddr, 2: remoteAddr } = await op_net_connect_tls(
{ hostname, port },
- { certFile: deprecatedCertFile, caCerts, alpnProtocols, serverName },
+ { caCerts, alpnProtocols, serverName },
keyPair,
);
localAddr.transport = "tcp";
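Review bot: A caller that still passes `certFile`, `keyFile`, `certChain` or `privateKey` to `connectTls` now gets no error: the destructuring here drops those names, `hasTlsKeyPairOptions` in the next hunk tests only `cert` and `key`, and `op_net_connect_tls` no longer receives `certFile`. For untyped JavaScript callers, a custom root passed as `certFile` or a client certificate passed as `certChain`/`privateKey` is silently left out, and the later handshake failure (or a connection made without the client certificate, where the server does not demand one) says nothing about the removed option. If silent ignore is not the intended end state, a guard ahead of `loadTlsKeyPair` would make the migration failure explicit, for example `if ("certFile" in arguments[0]) throw new TypeError("Deno.connectTls: 'certFile' was removed, use 'caCerts'");`, with matching checks for the other three names. The body of `connectTls` continues outside this hunk.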
@@ -137,10 +114,7 @@ function hasTlsKeyPairOptions(options) {
if (options[resolverSymbol] !== undefined) {
return true;
}
- return (options.cert !== undefined || options.key !== undefined ||
- options.certFile !== undefined ||
- options.keyFile !== undefined || options.privateKey !== undefined ||
- options.certChain !== undefined);
+ return (options.cert !== undefined || options.key !== undefined);
}
/**
@@ -150,19 +124,8 @@ function hasTlsKeyPairOptions(options) {
function loadTlsKeyPair(api, {
keyFormat,
cert,
- certFile,
- certChain,
key,
- keyFile,
- privateKey,
}) {
- if (internals.future) {
- certFile = undefined;
- certChain = undefined;
- keyFile = undefined;
- privateKey = undefined;
- }
-
// TODO(mmastrac): remove this temporary symbol when the API lands
if (arguments[1][resolverSymbol] !== undefined) {
return createTlsKeyResolver(arguments[1][resolverSymbol]);
@@ -173,68 +136,18 @@ function loadTlsKeyPair(api, {
throw new TypeError('If `keyFormat` is specified, it must be "pem"');
}
- function exclusive(a1, a1v, a2, a2v) {
- if (a1v !== undefined && a2v !== undefined) {
- throw new TypeError(
- `Cannot specify both \`${a1}\` and \`${a2}\` for \`${api}\`.`,
- );
- }
+ if (cert !== undefined && key === undefined) {
+ throw new TypeError(
+ `If \`cert\` is specified, \`key\` must be specified as well for \`${api}\`.`,
+ );
}
-
- // Ensure that only one pair is valid
- exclusive("certChain", certChain, "cert", cert);
- exclusive("certChain", certChain, "certFile", certFile);
- exclusive("key", key, "keyFile", keyFile);
- exclusive("key", key, "privateKey", privateKey);
-
- function both(a1, a1v, a2, a2v) {
- if (a1v !== undefined && a2v === undefined) {
- throw new TypeError(
- `If \`${a1}\` is specified, \`${a2}\` must be specified as well for \`${api}\`.`,
- );
- }
- if (a1v === undefined && a2v !== undefined) {
- throw new TypeError(
- `If \`${a2}\` is specified, \`${a1}\` must be specified as well for \`${api}\`.`,
- );
- }
+ if (cert === undefined && key !== undefined) {
+ throw new TypeError(
+ `If \`key\` is specified, \`cert\` must be specified as well for \`${api}\`.`,
+ );
}
- // Pick one pair of cert/key, certFile/keyFile or certChain/privateKey
- both("cert", cert, "key", key);
- both("certFile", certFile, "keyFile", keyFile);
- both("certChain", certChain, "privateKey", privateKey);
-
- if (certFile !== undefined) {
- internals.warnOnDeprecatedApi(
- "Deno.TlsCertifiedKeyOptions.keyFile",
- new Error().stack,
- "Pass the key file's contents to the `Deno.TlsCertifiedKeyPem.key` option instead.",
- );
- internals.warnOnDeprecatedApi(
- "Deno.TlsCertifiedKeyOptions.certFile",
- new Error().stack,
- "Pass the cert file's contents to the `Deno.TlsCertifiedKeyPem.cert` option instead.",
- );
- return op_tls_key_static_from_file(api, certFile, keyFile);
- } else if (certChain !== undefined) {
- if (api !== "Deno.connectTls") {
- throw new TypeError(
- `Invalid options 'certChain' and 'privateKey' for ${api}`,
- );
- }
- internals.warnOnDeprecatedApi(
- "Deno.TlsCertifiedKeyOptions.privateKey",
- new Error().stack,
- "Use the `Deno.TlsCertifiedKeyPem.key` option instead.",
- );
- internals.warnOnDeprecatedApi(
- "Deno.TlsCertifiedKeyOptions.certChain",
- new Error().stack,
- "Use the `Deno.TlsCertifiedKeyPem.cert` option instead.",
- );
- return op_tls_key_static(certChain, privateKey);
- } else if (cert !== undefined) {
+ if (cert !== undefined) {
return op_tls_key_static(cert, key);
} else {
return op_tls_key_null();
diff --git a/ext/net/lib.deno_net.d.ts b/ext/net/lib.deno_net.d.ts
index b2ffffa27..f34fcb0fd 100644
--- a/ext/net/lib.deno_net.d.ts
+++ b/ext/net/lib.deno_net.d.ts
@@ -232,16 +232,6 @@ declare namespace Deno {
options: UnixListenOptions & { transport: "unix" },
): UnixListener;
- /** Provides TLS certified keys, ie: a key that has been certified by a trusted certificate authority.
- * A certified key generally consists of a private key and certificate part.
- *
- * @category Network
- */
- export type TlsCertifiedKeyOptions =
- | TlsCertifiedKeyPem
- | TlsCertifiedKeyFromFile
- | TlsCertifiedKeyConnectTls;
-
/**
* Provides certified key material from strings. The key material is provided in
* `PEM`-format (Privacy Enhanced Mail, https://www.rfc-editor.org/rfc/rfc1422) which can be identified by having
@@ -268,59 +258,6 @@ declare namespace Deno {
cert: string;
}
- /**
- * @deprecated This will be removed in Deno 2.0. See the
- * {@link https://docs.deno.com/runtime/manual/advanced/migrate_deprecations | Deno 1.x to 2.x Migration Guide}
- * for migration instructions.
- *
- * @category Network
- */
- export interface TlsCertifiedKeyFromFile {
- /** Path to a file containing a PEM formatted CA certificate. Requires
- * `--allow-read`.
- *
- * @tags allow-read
- * @deprecated This will be removed in Deno 2.0. See the
- * {@link https://docs.deno.com/runtime/manual/advanced/migrate_deprecations | Deno 1.x to 2.x Migration Guide}
- * for migration instructions.
- */
- certFile: string;
- /** Path to a file containing a private key file. Requires `--allow-read`.
- *
- * @tags allow-read
- * @deprecated This will be removed in Deno 2.0. See the
- * {@link https://docs.deno.com/runtime/manual/advanced/migrate_deprecations | Deno 1.x to 2.x Migration Guide}
- * for migration instructions.
- */
- keyFile: string;
- }
-
- /**
- * @deprecated This will be removed in Deno 2.0. See the
- * {@link https://docs.deno.com/runtime/manual/advanced/migrate_deprecations | Deno 1.x to 2.x Migration Guide}
- * for migration instructions.
- *
- * @category Network
- */
- export interface TlsCertifiedKeyConnectTls {
- /**
- * Certificate chain in `PEM` format.
- *
- * @deprecated This will be removed in Deno 2.0. See the
- * {@link https://docs.deno.com/runtime/manual/advanced/migrate_deprecations | Deno 1.x to 2.x Migration Guide}
- * for migration instructions.
- */
- certChain: string;
- /**
- * Private key in `PEM` format. RSA, EC, and PKCS8-format keys are supported.
- *
- * @deprecated This will be removed in Deno 2.0. See the
- * {@link https://docs.deno.com/runtime/manual/advanced/migrate_deprecations | Deno 1.x to 2.x Migration Guide}
- * for migration instructions.
- */
- privateKey: string;
- }
-
/** @category Network */
export interface ListenTlsOptions extends TcpListenOptions {
transport?: "tcp";
@@ -349,7 +286,7 @@ declare namespace Deno {
* @category Network
*/
export function listenTls(
- options: ListenTlsOptions & TlsCertifiedKeyOptions,
+ options: ListenTlsOptions & TlsCertifiedKeyPem,
): TlsListener;
/** @category Network */
@@ -430,16 +367,6 @@ declare namespace Deno {
*
* @default {"127.0.0.1"} */
hostname?: string;
- /** Path to a file containing a PEM formatted list of root certificates that will
- * be used in addition to the default root certificates to verify the peer's certificate. Requires
- * `--allow-read`.
- *
- * @tags allow-read
- * @deprecated This will be removed in Deno 2.0. See the
- * {@link https://docs.deno.com/runtime/manual/advanced/migrate_deprecations | Deno 1.x to 2.x Migration Guide}
- * for migration instructions.
- */
- certFile?: string;
/** A list of root certificates that will be used in addition to the
* default root certificates to verify the peer's certificate.
*
@@ -493,7 +420,7 @@ declare namespace Deno {
* @category Network
*/
export function connectTls(
- options: ConnectTlsOptions & TlsCertifiedKeyOptions,
+ options: ConnectTlsOptions & TlsCertifiedKeyPem,
): Promise<TlsConn>;
/** @category Network */
diff --git a/ext/net/lib.rs b/ext/net/lib.rs
index c0f94ce1c..098d220db 100644
--- a/ext/net/lib.rs
+++ b/ext/net/lib.rs
@@ -115,7 +115,6 @@ deno_core::extension!(deno_net,
ops_tls::op_tls_key_null,
ops_tls::op_tls_key_static,
- ops_tls::op_tls_key_static_from_file<P>,
ops_tls::op_tls_cert_resolver_create,
ops_tls::op_tls_cert_resolver_poll,
ops_tls::op_tls_cert_resolver_resolve,
diff --git a/ext/net/ops_tls.rs b/ext/net/ops_tls.rs
index 8483e7e66..3ca5adbbe 100644
--- a/ext/net/ops_tls.rs
+++ b/ext/net/ops_tls.rs
@@ -34,8 +34,6 @@ use deno_tls::new_resolver;
use deno_tls::rustls::pki_types::ServerName;
use deno_tls::rustls::ClientConnection;
use deno_tls::rustls::ServerConfig;
-use deno_tls::webpki::types::CertificateDer;
-use deno_tls::webpki::types::PrivateKeyDer;
use deno_tls::ServerConfigProvider;
use deno_tls::SocketUse;
use deno_tls::TlsKey;
@@ -213,32 +211,6 @@ pub fn op_tls_key_static(
Ok(TlsKeysHolder::from(TlsKeys::Static(TlsKey(cert, key))))
}
-/// Legacy op -- will be removed in Deno 2.0.
-#[op2]
-#[cppgc]
-pub fn op_tls_key_static_from_file<NP>(
- state: &mut OpState,
- #[string] api: String,
- #[string] cert_file: String,
- #[string] key_file: String,
-) -> Result<TlsKeysHolder, AnyError>
-where
- NP: NetPermissions + 'static,
-{
- {
- let permissions = state.borrow_mut::<NP>();
- permissions.check_read(Path::new(&cert_file), &api)?;
- permissions.check_read(Path::new(&key_file), &api)?;
- }
-
- let cert = load_certs_from_file(&cert_file)?;
- let key = load_private_keys_from_file(&key_file)?
- .into_iter()
- .next()
- .unwrap();
- Ok(TlsKeysHolder::from(TlsKeys::Static(TlsKey(cert, key))))
-}
-
#[op2]
pub fn op_tls_cert_resolver_create<'s>(
scope: &mut v8::HandleScope<'s>,
@@ -455,21 +427,6 @@ where
Ok((rid, IpAddr::from(local_addr), IpAddr::from(remote_addr)))
}
-fn load_certs_from_file(
- path: &str,
-) -> Result<Vec<CertificateDer<'static>>, AnyError> {
- let cert_file = File::open(path)?;
- let reader = &mut BufReader::new(cert_file);
- load_certs(reader)
-}
-
-fn load_private_keys_from_file(
- path: &str,
-) -> Result<Vec<PrivateKeyDer<'static>>, AnyError> {
- let key_bytes = std::fs::read(path)?;
- load_private_keys(&key_bytes)
-}
-
#[derive(Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct ListenTlsArgs {
diff --git a/tests/specs/future/runtime_api/main.js b/tests/specs/future/runtime_api/main.js
index a6415b3c1..1b6caac5f 100644
--- a/tests/specs/future/runtime_api/main.js
+++ b/tests/specs/future/runtime_api/main.js
@@ -31,40 +31,6 @@ try {
}
}
-// Note: this could throw with a `Deno.errors.NotFound` error if `keyFile` and
-// `certFile` were used.
-const conn1 = await Deno.connectTls({
- port: tlsPort,
- certFile: "foo",
- keyFile: "foo",
-});
-conn1.close();
-console.log("Deno.ConnectTlsOptions.(certFile|keyFile) do nothing");
-
-// Note: this could throw with a `Deno.errors.InvalidData` error if `certChain`
-// and `privateKey` were used.
-const conn2 = await Deno.connectTls({
- port: tlsPort,
- certChain: "foo",
- privateKey: "foo",
-});
-conn2.close();
-console.log("Deno.ConnectTlsOptions.(certChain|privateKey) do nothing");
-
tlsListener.close();
-// Note: this could throw with a `Deno.errors.NotFound` error if `keyFile` and
-// `certFile` were used.
-try {
- Deno.listenTls({ port: tlsPort, keyFile: "foo", certFile: "foo" });
-} catch (error) {
- if (
- error instanceof Deno.errors.InvalidData &&
- error.message ===
- "Deno.listenTls requires a key: Error creating TLS certificate"
- ) {
- console.log("Deno.ListenTlsOptions.(keyFile|certFile) do nothing");
- }
-}
-
self.close();
diff --git a/tests/specs/future/runtime_api/main.out b/tests/specs/future/runtime_api/main.out
index f69bd1447..70c62c305 100644
--- a/tests/specs/future/runtime_api/main.out
+++ b/tests/specs/future/runtime_api/main.out
@@ -2,6 +2,3 @@ window is undefined
Deno.Listener.prototype.rid is undefined
Deno.TlsListener.prototype.rid is undefined
Deno.FsFile constructor is illegal
-Deno.ConnectTlsOptions.(certFile|keyFile) do nothing
-Deno.ConnectTlsOptions.(certChain|privateKey) do nothing
-Deno.ListenTlsOptions.(keyFile|certFile) do nothing
diff --git a/tests/unit/tls_sni_test.ts b/tests/unit/tls_sni_test.ts
index 404f8016e..a8d51108e 100644
--- a/tests/unit/tls_sni_test.ts
+++ b/tests/unit/tls_sni_test.ts
@@ -25,9 +25,8 @@ Deno.test(
return keys[sni]!;
},
};
- const listener = Deno.listenTls(
- <Deno.ListenTlsOptions & Deno.TlsCertifiedKeyConnectTls> opts,
- );
+ // @ts-ignore Trust me
+ const listener = Deno.listenTls(opts);
for (
const server of ["server-1", "server-2", "fail-server-3", "fail-server-4"]
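Review bot: The `// @ts-ignore Trust me` above `Deno.listenTls(opts)` suppresses every type error on that line, not just the one it was added for, and it gives no reason. `opts` appears to carry a resolver callback instead of `cert`/`key`, so the mismatch with `ListenTlsOptions & TlsCertifiedKeyPem` is expected; `// @ts-expect-error opts supplies keys through the internal resolver, not cert/key` would record that and would fail the type check once the resolver API is typed and the suppression is no longer needed. The definition of `opts` starts outside the hunk, so the exact wording of the reason should be checked against it.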
diff --git a/tests/unit/tls_test.ts b/tests/unit/tls_test.ts
index 6e80c984a..0f6ffc15f 100644
--- a/tests/unit/tls_test.ts
+++ b/tests/unit/tls_test.ts
@@ -68,112 +68,6 @@ Deno.test(
);
Deno.test(
- { permissions: { net: true, read: false }, ignore: DENO_FUTURE },
- async function connectTLSCertFileNoReadPerm() {
- await assertRejects(async () => {
- await Deno.connectTls({
- hostname: "deno.land",
- port: 443,
- certFile: "tests/testdata/tls/RootCA.crt",
- });
- }, Deno.errors.NotCapable);
- },
-);
-
-Deno.test(
- { permissions: { read: true, net: true }, ignore: DENO_FUTURE },
- function listenTLSNonExistentCertKeyFiles() {
- const options = {
- hostname: "localhost",
- port: 0,
- certFile: "tests/testdata/tls/localhost.crt",
- keyFile: "tests/testdata/tls/localhost.key",
- };
-
- assertThrows(() => {
- Deno.listenTls({
- ...options,
- certFile: "./non/existent/file",
- });
- }, Deno.errors.NotFound);
-
- assertThrows(() => {
- Deno.listenTls({
- ...options,
- keyFile: "./non/existent/file",
- });
- }, Deno.errors.NotFound);
- },
-);
-
-Deno.test(
- { permissions: { net: true, read: false }, ignore: DENO_FUTURE },
- function listenTLSNoReadPerm() {
- assertThrows(() => {
- Deno.listenTls({
- hostname: "localhost",
- port: 0,
- certFile: "tests/testdata/tls/localhost.crt",
- keyFile: "tests/testdata/tls/localhost.key",
- });
- }, Deno.errors.NotCapable);
- },
-);
-
-Deno.test(
- {
- permissions: { read: true, write: true, net: true },
- ignore: DENO_FUTURE,
- },
- function listenTLSEmptyKeyFile() {
- const options = {
- hostname: "localhost",
- port: 0,
- certFile: "tests/testdata/tls/localhost.crt",
- keyFile: "tests/testdata/tls/localhost.key",
- };
-
- const testDir = Deno.makeTempDirSync();
- const keyFilename = testDir + "/key.pem";
- Deno.writeFileSync(keyFilename, new Uint8Array([]), {
- mode: 0o666,
- });
-
- assertThrows(() => {
- Deno.listenTls({
- ...options,
- keyFile: keyFilename,
- });
- }, Error);
- },
-);
-
-Deno.test(
- { permissions: { read: true, write: true, net: true } },
- function listenTLSEmptyCertFile() {
- const options = {
- hostname: "localhost",
- port: 0,
- certFile: "tests/testdata/tls/localhost.crt",
- keyFile: "tests/testdata/tls/localhost.key",
- };
-
- const testDir = Deno.makeTempDirSync();
- const certFilename = testDir + "/cert.crt";
- Deno.writeFileSync(certFilename, new Uint8Array([]), {
- mode: 0o666,
- });
-
- assertThrows(() => {
- Deno.listenTls({
- ...options,
- certFile: certFilename,
- });
- }, Error);
- },
-);
-
-Deno.test(
{ permissions: { net: true } },
async function startTlsWithoutExclusiveAccessToTcpConn() {
const { listener, hostname, port } = listenTcp();
@@ -1149,22 +1043,6 @@ Deno.test(
Deno.test(
{ permissions: { read: true, net: true }, ignore: DENO_FUTURE },
- async function connectTLSBadClientCertPrivateKey(): Promise<void> {
- await assertRejects(async () => {
- await Deno.connectTls({
- hostname: "deno.land",
- port: 443,
- certChain: "bad data",
- privateKey: Deno.readTextFileSync(
- "tests/testdata/tls/localhost.key",
- ),
- });
- }, Deno.errors.InvalidData);
- },
-);
-
-Deno.test(
- { permissions: { read: true, net: true }, ignore: DENO_FUTURE },
async function connectTLSBadCertKey(): Promise<void> {
await assertRejects(async () => {
await Deno.connectTls({
@@ -1180,22 +1058,6 @@ Deno.test(
);
Deno.test(
- { permissions: { read: true, net: true }, ignore: DENO_FUTURE },
- async function connectTLSBadPrivateKey(): Promise<void> {
- await assertRejects(async () => {
- await Deno.connectTls({
- hostname: "deno.land",
- port: 443,
- certChain: Deno.readTextFileSync(
- "tests/testdata/tls/localhost.crt",
- ),
- privateKey: "bad data",
- });
- }, Deno.errors.InvalidData);
- },
-);
-
-Deno.test(
{ permissions: { read: true, net: true } },
async function connectTLSBadKey(): Promise<void> {
await assertRejects(async () => {
@@ -1213,22 +1075,6 @@ Deno.test(
Deno.test(
{ permissions: { read: true, net: true }, ignore: DENO_FUTURE },
- async function connectTLSNotPrivateKey(): Promise<void> {
- await assertRejects(async () => {
- await Deno.connectTls({
- hostname: "deno.land",
- port: 443,
- certChain: Deno.readTextFileSync(
- "tests/testdata/tls/localhost.crt",
- ),
- privateKey: "",
- });
- }, Deno.errors.InvalidData);
- },
-);
-
-Deno.test(
- { permissions: { read: true, net: true }, ignore: DENO_FUTURE },
async function connectTLSNotKey(): Promise<void> {
await assertRejects(async () => {
await Deno.connectTls({
@@ -1244,31 +1090,6 @@ Deno.test(
);
Deno.test(
- { permissions: { read: true, net: true }, ignore: DENO_FUTURE },
- async function connectWithClientCert() {
- // The test_server running on port 4552 responds with 'PASS' if client
- // authentication was successful. Try it by running test_server and
- // curl --key tests/testdata/tls/localhost.key \
- // --cert tests/testdata/tls/localhost.crt \
- // --cacert tests/testdata/tls/RootCA.crt https://localhost:4552/
- const conn = await Deno.connectTls({
- hostname: "localhost",
- port: 4552,
- certChain: Deno.readTextFileSync(
- "tests/testdata/tls/localhost.crt",
- ),
- privateKey: Deno.readTextFileSync(
- "tests/testdata/tls/localhost.key",
- ),
- caCerts: [Deno.readTextFileSync("tests/testdata/tls/RootCA.pem")],
- });
- const result = decoder.decode(await readAll(conn));
- assertEquals(result, "PASS");
- conn.close();
- },
-);
-
-Deno.test(
{ permissions: { read: true, net: true } },
async function connectWithCert() {
// The test_server running on port 4552 responds with 'PASS' if client
@@ -1294,56 +1115,6 @@ Deno.test(
);
Deno.test(
- { permissions: { read: true, net: true }, ignore: DENO_FUTURE },
- async function connectTlsConflictingCertOptions(): Promise<void> {
- await assertRejects(
- async () => {
- await Deno.connectTls({
- hostname: "deno.land",
- port: 443,
- cert: Deno.readTextFileSync(
- "tests/testdata/tls/localhost.crt",
- ),
- certChain: Deno.readTextFileSync(
- "tests/testdata/tls/localhost.crt",
- ),
- key: Deno.readTextFileSync(
- "tests/testdata/tls/localhost.key",
- ),
- });
- },
- TypeError,
- "Cannot specify both `certChain` and `cert`",
- );
- },
-);
-
-Deno.test(
- { permissions: { read: true, net: true }, ignore: DENO_FUTURE },
- async function connectTlsConflictingKeyOptions(): Promise<void> {
- await assertRejects(
- async () => {
- await Deno.connectTls({
- hostname: "deno.land",
- port: 443,
- cert: Deno.readTextFileSync(
- "tests/testdata/tls/localhost.crt",
- ),
- privateKey: Deno.readTextFileSync(
- "tests/testdata/tls/localhost.crt",
- ),
- key: Deno.readTextFileSync(
- "tests/testdata/tls/localhost.key",
- ),
- });
- },
- TypeError,
- "Cannot specify both `key` and `privateKey` for `Deno.connectTls`.",
- );
- },
-);
-
-Deno.test(
{ permissions: { read: true, net: true } },
async function connectTLSCaCerts() {
const conn = await Deno.connectTls({
@@ -1359,20 +1130,6 @@ Deno.test(
Deno.test(
{ permissions: { read: true, net: true } },
- async function connectTLSCertFile() {
- const conn = await Deno.connectTls({
- hostname: "localhost",
- port: 4557,
- certFile: "tests/testdata/tls/RootCA.pem",
- });
- const result = decoder.decode(await readAll(conn));
- assertEquals(result, "PASS");
- conn.close();
- },
-);
-
-Deno.test(
- { permissions: { read: true, net: true } },
async function startTLSCaCerts() {
const plainConn = await Deno.connect({
hostname: "localhost",
@@ -1397,7 +1154,7 @@ Deno.test(
const connectPromise = Deno.connectTls({
hostname,
port,
- certFile: "tests/testdata/tls/RootCA.crt",
+ caCerts: [await Deno.readTextFile("tests/testdata/tls/RootCA.crt")],
});
const [conn1, conn2] = await Promise.all([acceptPromise, connectPromise]);
listener.close();
@@ -1615,8 +1372,8 @@ Deno.test(
Deno.listenTls({
hostname: "localhost",
port: 0,
- certFile: "tests/testdata/tls/invalid.crt",
- keyFile: "tests/testdata/tls/localhost.key",
+ cert: Deno.readTextFileSync("tests/testdata/tls/invalid.crt"),
+ key: Deno.readTextFileSync("tests/testdata/tls/localhost.key"),
});
}, Deno.errors.InvalidData);
},
@@ -1629,21 +1386,21 @@ Deno.test(
Deno.listenTls({
hostname: "localhost",
port: 0,
- certFile: "tests/testdata/tls/localhost.crt",
- keyFile: "tests/testdata/tls/invalid.key",
+ cert: Deno.readTextFileSync("tests/testdata/tls/localhost.crt"),
+ key: Deno.readTextFileSync("tests/testdata/tls/invalid.key"),
});
}, Deno.errors.InvalidData);
},
);
Deno.test(
- { ignore: DENO_FUTURE, permissions: { net: true, read: true } },
+ { permissions: { net: true, read: true } },
function listenTLSEcKey() {
const listener = Deno.listenTls({
hostname: "localhost",
port: 0,
- certFile: "tests/testdata/tls/localhost_ecc.crt",
- keyFile: "tests/testdata/tls/localhost_ecc.key",
+ cert: Deno.readTextFileSync("tests/testdata/tls/localhost_ecc.crt"),
+ key: Deno.readTextFileSync("tests/testdata/tls/localhost_ecc.key"),
});
listener.close();
},
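Review bot: `ignore: DENO_FUTURE` is dropped from `listenTLSEcKey` here, but `connectTLSBadCertKey` and `connectTLSNotKey` in the earlier hunks of this file keep `{ permissions: { read: true, net: true }, ignore: DENO_FUTURE }` after their `certChain`/`privateKey` twins were deleted. Judging by their names they exercise the retained `cert`/`key` options, so these negative-path cases (malformed certificate, value that is not a key) would still be skipped under the future flag; their bodies lie mostly outside the hunks, so this is inferred. If that holds, the options line for both should become `{ permissions: { read: true, net: true } },`, and the `DENO_FUTURE` import can go if nothing else in the file uses it.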
diff --git a/tests/unit_node/tls_test.ts b/tests/unit_node/tls_test.ts
index 6033efa31..4ee622a67 100644
--- a/tests/unit_node/tls_test.ts
+++ b/tests/unit_node/tls_test.ts
@@ -10,10 +10,8 @@ import * as stream from "node:stream";
const tlsTestdataDir = fromFileUrl(
new URL("../testdata/tls", import.meta.url),
);
-const keyFile = join(tlsTestdataDir, "localhost.key");
-const certFile = join(tlsTestdataDir, "localhost.crt");
-const key = Deno.readTextFileSync(keyFile);
-const cert = Deno.readTextFileSync(certFile);
+const key = Deno.readTextFileSync(join(tlsTestdataDir, "localhost.key"));
+const cert = Deno.readTextFileSync(join(tlsTestdataDir, "localhost.crt"));
const rootCaCert = Deno.readTextFileSync(join(tlsTestdataDir, "RootCA.pem"));
for (